Trog::TOTP Predictable Secret Generation Vulnerability in Perl

Vulnerability

A vulnerability exists in Trog::TOTP versions prior to 1.006 for Perl, where the library generates secrets using Perl's built-in rand function. That generator is predictable and not suitable for security-sensitive use. The issue has been addressed in version 1.006, which replaces the built-in rand with Crypt::PRNG::rand, a cryptographically secure alternative.

Impact

The vulnerability allows for the generation of predictable secrets, which could be exploited in scenarios where secret randomness is critical, such as time-based one-time password (TOTP) generation.

Remediation

Users can upgrade to Trog::TOTP version 1.006 or later to address this vulnerability.
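To make the weakness described above and the fix the advisory names concrete, here is an added example (not code from Trog::TOTP or its author) that contrasts a TOTP secret generator built on Perl's core rand with one built on Crypt::PRNG. The base32 encoder, the function names weak_secret and strong_secret, the seed value 42 and the 20-byte secret length are this example's own choices; the only dependency beyond core Perl is Crypt::PRNG, which ships in the CryptX distribution on CPAN.

```perl
#!/usr/bin/env perl
# Added example, not Trog::TOTP's own code: contrast a TOTP secret generator
# built on Perl's core rand() with one built on Crypt::PRNG, the CSPRNG the
# advisory names as the fix. Requires Crypt::PRNG (CryptX) from CPAN.
use strict;
use warnings;
use Crypt::PRNG qw(random_bytes);

# RFC 4648 base32 alphabet, the form in which TOTP secrets are handed to
# authenticator apps. Hand-rolled here to avoid a second CPAN dependency.
my @B32 = ('A' .. 'Z', 2 .. 7);

sub base32_encode {
    my ($bytes) = @_;
    my $bits = unpack('B*', $bytes);    # MSB-first bit string
    my $out  = '';
    for (my $i = 0; $i < length $bits; $i += 5) {
        my $chunk = substr($bits, $i, 5);
        $chunk .= '0' x (5 - length $chunk);    # pad the final group
        $out .= $B32[ oct("0b$chunk") ];
    }
    return $out;
}

# Weak pattern: an illustrative sketch of the pre-1.006 behaviour the advisory
# describes, not the module's actual code. Core rand() is a fast, non-
# cryptographic PRNG driven by a small seed, so its output is reproducible by
# anyone who learns or guesses that seed.
sub weak_secret {
    my $nbytes = shift // 20;
    return base32_encode(join '', map { chr(int(rand(256))) } 1 .. $nbytes);
}

# Hardened form: draw the secret bytes from Crypt::PRNG's CSPRNG.
# 20 bytes (160 bits) is the secret length RFC 4226 recommends for HOTP/TOTP.
sub strong_secret {
    my $nbytes = shift // 20;
    return base32_encode(random_bytes($nbytes));
}

# Demonstrate the reproducibility problem: with the same seed, core rand()
# yields the same "secret" twice. Crypt::PRNG takes no caller-supplied seed,
# so the hardened generator cannot be replayed this way.
srand(42); my $first  = weak_secret();
srand(42); my $second = weak_secret();
printf "weak   #1: %s\n", $first;
printf "weak   #2: %s  (%s)\n", $second,
    $first eq $second ? 'identical: fully determined by the seed' : 'differs';
printf "strong #1: %s\n", strong_secret();
printf "strong #2: %s\n", strong_secret();
```

The two weak secrets agree whenever the seed does, while the Crypt::PRNG secrets differ on every call; the hardened generator is the pattern to keep in any code that mints TOTP secrets itself. To confirm that an installed copy is at or past the fixed release, `perl -MTrog::TOTP -e 'print $Trog::TOTP::VERSION'` reports the version, assuming the module sets the conventional $VERSION variable as CPAN modules normally do.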

Added: May 15, 2026, 6:19 PM
Updated: May 15, 2026, 6:19 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 8.1
remediation: 0.0
relevance: 8.5
threat: 3.2
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.